⚡ Key Takeaways


Bottom Line: Algeria’s Law 25-11 requires mandatory DPOs, five-day breach notification, and data protection impact assessments — with criminal penalties up to five years imprisonment. Compliance is required now.


🧭 Decision Radar

  • Relevance for Algeria: High. Law 25-11 directly affects every organization processing personal data in Algeria, from banks and telecoms to startups and government agencies, with criminal penalties for non-compliance.
  • Action Timeline: Immediate. The law entered into force on July 24, 2025, with no formal grace period; ANPDP enforcement can begin at any time.
  • Key Stakeholders: CISOs, legal departments, compliance officers, DPO candidates, startup founders, government IT directors, ANPDP.
  • Decision Type: Tactical. Requires specific operational actions now: appoint a DPO, build incident response procedures, create processing records, and conduct DPIAs for high-risk activities.
  • Priority Level: Critical. Criminal penalties up to five years imprisonment and fines up to 1,000,000 DZD make non-compliance a serious legal and personal risk for organizational leaders.

Quick Take: Law 25-11 is already in force with no formal grace period. Every Algerian organization processing personal data needs to appoint a DPO, build breach notification procedures meeting the five-day deadline, and start conducting DPIAs for high-risk processing. Start compliance efforts now.

From Law 18-07 to Law 25-11: What Changed

Algeria’s original data protection law — Law 18-07 of June 10, 2018 — established the National Authority for the Protection of Personal Data (ANPDP) and defined basic processing principles. But it lacked breach notification requirements, mandatory Data Protection Officers, and any obligation to assess privacy risks before launching high-risk processing activities.

On July 24, 2025, the Algerian Parliament enacted Law No. 25-11, amending and supplementing Law 18-07. The update introduces five major obligations that bring Algeria’s framework significantly closer to the European Union’s General Data Protection Regulation (GDPR), while adding a criminal enforcement dimension that most GDPR implementations lack.

Mandatory Data Protection Officers

Law 25-11 requires organizations that process personal data at scale or handle sensitive categories to appoint a Data Protection Officer. The DPO must possess professional qualifications and expert knowledge in data protection law and practices. Their responsibilities include advising the data controller on compliance, monitoring internal policies, serving as the ANPDP’s point of contact, managing data protection impact assessments, and handling data subject requests for access, correction, and deletion.

The law protects DPO independence: they cannot receive instructions on how to perform their tasks and cannot be penalized for carrying out their duties. For Algeria, where very few organizations have had formal privacy functions, this creates both an urgent compliance challenge and a significant career opportunity across banking, telecommunications, healthcare, e-commerce, and government agencies.

Five-Day Breach Notification

Article 45 bis 8 of Law 25-11 introduces the most operationally demanding new obligation: data controllers must notify the ANPDP within five days of becoming aware of a personal data breach likely to result in risks to individuals’ rights and freedoms. The notification must describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address it.

If a controller cannot provide all required information immediately, progressive notification is permitted. Processors (subcontractors) must inform their data controllers of any breach as soon as they become aware. When a breach poses high risk to affected individuals, direct notification to those individuals is also required.

The practical implications are substantial. Organizations need incident detection capabilities, documented response procedures, pre-prepared notification templates for the ANPDP, and breach logging systems — even for incidents that fall below the notification threshold.

Data Protection Impact Assessments

Under Article 45 bis 6, organizations must conduct Data Protection Impact Assessments (DPIAs) before undertaking processing likely to result in high risks to individuals’ rights and freedoms. High-risk processing typically includes large-scale processing of sensitive data (health records, biometric data), systematic monitoring and surveillance, automated decision-making such as credit scoring, and new technology deployments involving personal data.

A DPIA must evaluate the necessity and proportionality of processing, assess risks to data subjects, and identify mitigation measures. If residual risks remain high after mitigation, the organization must consult the ANPDP before proceeding.

Biometric Data and Expanded Definitions

Law 25-11 introduces explicit definitions for biometric data, profiling, pseudonymisation, and data breaches — terms absent from the original Law 18-07. The biometric data definition covers data resulting from specific technical processing of physical, physiological, or behavioral characteristics that allows unique identification.

This matters directly in Algeria. The country already deploys biometric technology extensively: biometric national identity cards (CNIB) with fingerprints and facial photographs, biometric passports, biometric voter registration, and emerging fingerprint authentication in banking. By classifying biometric data as sensitive and requiring DPIAs for its processing, Law 25-11 ensures legal protections match the technological reality.

Processing Records and Accountability

Data controllers and processors must now maintain detailed records of all processing activities, including purposes, data categories, recipients, cross-border transfers, retention periods, and security measures. These records must be available to the ANPDP upon request, creating a documentation-based accountability mechanism that goes beyond simple legal compliance.

Penalties with Criminal Teeth

Law 25-11 establishes penalties that combine financial and criminal consequences. Fines range from 20,000 DZD (~$150) to 1,000,000 DZD (~$7,500) depending on the violation’s nature and severity. Criminal penalties reach two months to five years of imprisonment for the most serious violations, including unlawful processing of sensitive data and obstruction of ANPDP supervisory activities.

While the financial penalties are modest compared to the GDPR’s 4% of global annual turnover, the criminal dimension sets Algeria apart. In the regional context, Morocco’s Law 09-08 provides fines up to 300,000 MAD (~$30,000) with imprisonment up to two years for most violations, while Tunisia’s Organic Act No. 2004-63 includes penalties up to five years for the gravest infractions. Algeria’s combination of financial and criminal enforcement creates a multi-layered deterrent.

How Law 25-11 Fits Algeria’s Regulatory Architecture

Law 25-11 does not stand alone. It forms part of a regulatory convergence alongside two other 2025 developments: the draft Trust Services Law (approved by the Council of Ministers on November 2, 2025, covering digital identification and electronic signatures) and Bank of Algeria Instruction 06-2025 (published August 17, 2025, establishing the licensing framework for payment service providers). These three frameworks are interconnected — the PSP regulation requires customer data protection that Law 25-11 defines, while the trust services framework handles digital identity data subject to Law 25-11’s protections.

What Organizations Should Do Now

Immediate (0-6 months): Appoint or identify a DPO candidate. Conduct a data mapping exercise to understand what personal data your organization holds. Establish a documented incident response procedure capable of meeting the five-day notification window. Begin creating processing records.

Medium-term (6-18 months): Conduct DPIAs for high-risk processing, prioritizing biometric data, health records, automated decision-making, and surveillance systems. Implement technical security measures including encryption and access controls. Train all employees who handle personal data. Review and update third-party processor contracts.

The law includes no explicit grace period. While the ANPDP may initially prioritize guidance over enforcement, organizations that delay compliance assume legal risk from the date of entry into force.

Frequently Asked Questions

Does Law 25-11 apply to foreign companies processing data in Algeria?

Yes. The law applies to any data controller or processor handling personal data of individuals located in Algeria, regardless of where the organization is established. Foreign companies offering services to Algerian residents or monitoring their behavior are subject to compliance obligations, though cross-border enforcement mechanisms remain less developed than for domestic entities.

What qualifications does a DPO need under Law 25-11?

The law requires professional qualifications and expert knowledge in data protection law and practices but does not mandate specific certifications. In practice, a DPO should understand Algerian data protection law, information security principles, and the organization’s specific processing activities. Given the scarcity of data protection professionals in Algeria, organizations may need to train existing legal or compliance staff.

What happens if an organization misses the five-day breach notification deadline?

Failure to notify the ANPDP within five days can result in administrative sanctions (warnings, fines, processing bans) and criminal penalties. If the notification is late, the law requires providing reasons for the delay (Article 45 bis 8). Organizations that lack incident detection capabilities may claim unawareness, but this defense is unlikely to satisfy the regulator if basic monitoring was absent.